The Internet has become extremely popular because of the availability of data access means that can remove limits imposed by time and space, and because of the anonymity it bestows. But since the Internet is accessible to all, it is peculiarly susceptible to misuse by those wishing to commit network crimes; the benefits it confers are available to intruders and to ordinary users alike. Therefore, the number of unauthorized access attacks has increased and the range of the targets that are attacked has expanded, to the extent that it is difficult to identify an intruder and to fully apprehend why an attack was mounted. Furthermore, since at certain home pages on the Internet instructions and guidance for effecting unauthorized entries are readily available, for sale or for free, knowledge of how to mount intrusive attacks is widely disseminated and since it is apparent that the effectiveness of the procedures employed is constantly being improved, it is anticipated that illegal access attacks will occur ever more frequently in the future.
A problem encountered in providing adequate protection for systems, so as to prevent the occurrence of illegal accesses, is that the configurations of systems deserving protection tend to vary daily. For example, update packages are frequently released for the Linux operating system; each month, one or more modules are published to correct system defects or errors or to provide improved functions. Furthermore, the problem of providing adequate protection is further compounded since, as is mentioned above, the methods available for effecting illegal accesses are constantly being improved, as are the means for concealing the identities of intruders, which complicates the task of identifying them. Under the prevailing conditions, therefore, it is difficult to devise a specific protection system that can absolutely prevent all illegal accesses. For the above described reasons, a system that can prevent the occurrence of large numbers of illegal accesses is urgently needed.
Crimes committed using the Internet include mail bombings, denial-of-service attacks, unauthorized intrusions, and the transmission of slanderous, malicious gossip. In many cases, in the commission of these crimes, to hide their identities attackers employ systems whereby their transmissions are routed via third parties. Such a system, whereby a third party is involuntarily involved, is called a stepping-stone computer system.
A method used for an illegal intrusion will now be described while referring to FIG. 1. In the schematic diagram in FIG. 1, an attacker's computer 11 is used to effect an illegal intrusion of a targeted host 16 via a plurality of host computers 12 to 15 and a network 17 to which these computers are connected. In this setup, the routing of packets on the network 17 is controlled by a router 18. In order to hide his or her identity, the attacker, hereinafter referred to as the attacker 11, attacks the target host 16 via one or more of the stepping-stone computers 12 to 15.
In order to assume control of the stepping-stone computers that are to be employed, the attacker 11 exploits perceived system setup inadequacies or OS bugs to access them. Thereafter, to attack the target computer 16, the attacker 11 transmits data packets via the several stepping-stone computers 12 to 15 to the target computer 16. To assault the target computer 16, the attacker 11 employs what is called an illegal access chain, for which telnet or rlogin is employed or a changed port number.
Given the current Internet environment, it is not easy to trace backward along an illegal access chain. Only the IP address of the stepping-stone host immediately before a targeted computer can be extracted from a packet header. Generally, therefore, when an attempt is made to obtain the address of the host that precedes the last stepping-stone host, permission to do so is denied and further analysis and tracing of the access chain cannot be continued, because the stepping-stone hosts are managed by a third party. It is therefore difficult to obtain the sources of the packets used to effect an illegal access and to trace the transmission source addresses back in order.
Therefore, a system has been studied that would provide for the automatic tracing of an illegal access chain. Depending on the location of the tracing components, illegal access tracing methods can be roughly classified into two subdivisions: a “host base” process and a “network base” process. According to the host base process, a tracing component is located at each host, while according to the network base process, a tracing component is located in the infrastructure (e.g., a router or a switch) of a network. The following host base tracing methods are in use.
DIDS (Distributed Intrusion Detection System)
This system, which originated at the University of California at Davis but which is presently being developed by Trident Data Systems Corp., monitors all TCP connections and logins occurring on a network over which it exercises control. Thus, the system constantly collects information concerning all activities within the area of its responsibility and monitors changes in the state of the network that occur as a result of user logins. Monitors, one of which is located at each host, collect information relative to network accesses by the local hosts and transmit the information to a central DIDS director. The central DIDS director is thus able to manage the state of the network as a whole. The procedures and methods employed for this technique are explained in detail in “DIDS (Distributed Intrusion Detection System)—Motivation, Architecture, And An Early Prototype,” S. Snapp et al., Proceedings of the 14th National Computer Security Conference, 1991.
CIS (Caller Identification System)
This system confirms a transmission source at the time of a login. When a user seeks to log in to an N-th host via N-1 hosts, the CIS system, to obtain a list of the preceding hosts, queries in turn the (N-1)th host and then the first to (N-2)th hosts. When the CIS system confirms that the results of the inquiries indicate that no illegal activities have occurred, it permits the login. This system is used to control accesses between the hosts that are managed, and it is a precondition that the CIS be installed on each managed host. The procedures and methods employed for this technique are explained in detail in “Caller Identification System in the Internet Environment,” H. T. Jung et al., Proceedings of the 4th Usenix Security Symposium, 1993.
Tsutsui's system
In this system, which is disclosed in U.S. Pat. No. 5,220,655, data concerning users who have accessed hosts and data concerning the processes are stored in the file system at each host, and when a trace request is received, the data are read and the tracing is performed in order to establish the access chain. If the tracing request is submitted to a different management domain, the management host for the pertinent domain collects the required information and returns it to the requesting source. A tracking service process must be operational at each host.
System provided by Hirata, et al.
According to this system, which is disclosed in Japanese Unexamined Patent Publication No. Hei 10-164064, at each host a process and a port number for a connection associated with the local host are stored in an access log recording unit, and a basic control program exchanges access information with other hosts and traces access chains. Since all the processing required to trace a communication route is performed by the basic control program, application processes running on the host need not be aware of any of the procedures that are being performed.
The problem with the above host base methods is that when an access chain is being traced and a host is reached that is not running one of these systems, the tracing process is halted at that point and continues no further. This can occur with regularity, since on the Internet it is rare indeed for a specific host base system to be adopted by all hosts in all management domains. Further, even if a host is one that is being managed by a host base system, an intrusion may have occurred at that host and the program associated with the tracing process may have been rewritten. It is not realistic, therefore, to expect a host base system to be reliably executed in the Internet environment.
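The following simulation, added here as an illustration and not code from the patent or from the Tsutsui or Hirata et al. systems, shows the host base tracing model described above and its limitation. Each host that runs a tracing agent records, for every login process, the inbound connection that created the process and the outbound connection the process itself opened; a trace walks backward from the target one hop at a time by asking each agent which login fed the outbound connection seen by the next hop. The host names, port numbers and sessions are constructed, and the chain host11 to host16 mirrors the numbering of FIG. 1.

```python
"""Simulated host base access chain trace (added example; constructed data)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Session:
    pid: int
    # (remote host, remote port) of the login that created this process; None for a local console login
    inbound: Optional[Tuple[str, int]]
    # (next host, local source port) of the connection this process opened; None if it opened none
    outbound: Optional[Tuple[str, int]]


@dataclass
class Agent:
    host: str
    sessions: List[Session] = field(default_factory=list)

    def session_for_outbound(self, next_host: str, local_port: int) -> Optional[Session]:
        """Answer a trace query: which login process opened the connection to next_host from local_port?"""
        for s in self.sessions:
            if s.outbound == (next_host, local_port):
                return s
        return None


def trace_chain(agents: Dict[str, Agent], target: str, src_host: str, src_port: int):
    """Trace backward from the connection src_host:src_port -> target.

    Returns (chain, status). chain lists hosts from the target backward; status is
    'origin'    - a managed host with a local (non-network) login was reached,
    'unmanaged' - the next host runs no agent, so the trace halts there,
    'no_record' - the agent answered but had no matching entry (e.g. a wiped log)."""
    chain = [target]
    cur_host, cur_port = src_host, src_port
    while True:
        chain.append(cur_host)
        agent = agents.get(cur_host)
        if agent is None:
            return chain, "unmanaged"
        sess = agent.session_for_outbound(chain[-2], cur_port)
        if sess is None:
            return chain, "no_record"
        if sess.inbound is None:
            return chain, "origin"
        cur_host, cur_port = sess.inbound


# Constructed chain mirroring FIG. 1: host11 (attacker) -> host12 -> ... -> host15 -> host16 (target)
HOPS = ["host11", "host12", "host13", "host14", "host15", "host16"]


def build_agents(unmanaged=(), tampered=()) -> Dict[str, Agent]:
    """Agents for host12..host16. Hosts in `unmanaged` get no agent at all; hosts in
    `tampered` keep an agent whose log no longer holds the intruder's session."""
    agents: Dict[str, Agent] = {}
    for i in range(1, len(HOPS)):
        host = HOPS[i]
        if host in unmanaged:
            continue
        agent = Agent(host)
        if host not in tampered:
            inbound = (HOPS[i - 1], 51000 + i)
            outbound = (HOPS[i + 1], 51000 + i + 1) if i + 1 < len(HOPS) else None
            agent.sessions.append(Session(pid=300 + i, inbound=inbound, outbound=outbound))
        # An unrelated local session on the same host: matching is by connection, not by host
        agent.sessions.append(Session(pid=900 + i, inbound=None, outbound=("mirror.example", 60000 + i)))
        agents[host] = agent
    return agents


def run_scenarios():
    """Three traces of the same intrusion under different agent coverage."""
    start = ("host16", "host15", 51005)   # what the target's own connection table shows
    return {
        "all_managed": trace_chain(build_agents(), *start),
        "host14_unmanaged": trace_chain(build_agents(unmanaged={"host14"}), *start),
        "host14_tampered": trace_chain(build_agents(tampered={"host14"}), *start),
    }


if __name__ == "__main__":
    for name, (chain, status) in run_scenarios().items():
        print(f"{name:18s} {' <- '.join(chain)}  [{status}]")
```

With every stepping stone managed, the trace reaches host11, the host nearest the attacker, and stops there because the attacker's own machine runs no agent. If host14 runs no agent, or runs one whose log was wiped after the intrusion, the trace ends at host14 and host12 and host11 are never identified, which is the halting behaviour the paragraph above describes.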
Another system that may be considered is a Caller ID system that has been reported by the U.S. Navy. To find an illegal user, this system performs a backward trace of the hosts that were illegally accessed and used as stepping-stone computers. This tracing system performs a backward search by employing the same method as that used by an intruder to illegally gain access to the stepping-stone computers. The side conducting the search maintains that it must access the stepping-stone computers, and that its access is permissible because an intrusion has already occurred at those host computers. But during an actual tracing exercise, gaining access to a computer is difficult or impossible because the intruder who accessed it illegally may have closed the security hole. Also, under the circumstances, gaining access to the computer of a third party could be considered to be a new crime.
A network base method will now be described.
According to a study by Staniford-Chen, only the contents of communication data are focused on, and an illegal access chain is traced with the assumption that the character value of the data (the distribution of the communication character types) is unique for each session (each intrusion) and is substantially the same for each connection in an access chain. At as many locations (routers, etc.) as possible on a network, character values are calculated and stored at specific time intervals for each session. If an intrusion is found, multiple points on the network are examined to find a point having a character value that is similar to that recorded during the session. As a result, the hosts on the access chain can be identified. The procedures and methods employed for this technique are described in “Holding Intruders Accountable on the Internet,” Stuart Staniford-Chen and L. Todd Heberlein, Proceedings of the 1995 IEEE Symposium on Security and Privacy, Oakland, Calif., 1995.
The merits of this system are that the stored log requires only a small memory capacity, and that the processing is easy because only the log needed to calculate the character value of the communication data has to be stored. However, since this system depends on the contents of the communication data, it cannot cope at all with content data that have been changed by encryption or by language code replacement.
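The following script is an added illustration of the thumbprinting idea and is not code from the Staniford-Chen and Heberlein paper or from the patent. Each observation point summarizes one time window of one connection as a distribution over a few character classes; the reference window captured at the target is then compared with the windows recorded at other points, and points whose distribution is close enough are taken to lie on the same access chain. The traffic samples are constructed, the choice of character classes, cosine similarity as the comparison measure and the 0.9 threshold are assumptions of this example, and the XOR with a seeded pseudo-random stream merely stands in for an encrypted hop so that the failure mode described above can be shown.

```python
"""Thumbprint-style session matching across observation points (added example; constructed data)."""
import math
import random
from collections import Counter
from typing import Dict, List, Tuple

CLASSES = ["upper", "lower", "digit", "space", "punct", "ctrl", "high"]


def char_class(b: int) -> str:
    """Coarse character class of one byte value."""
    if 65 <= b <= 90:
        return "upper"
    if 97 <= b <= 122:
        return "lower"
    if 48 <= b <= 57:
        return "digit"
    if b in (9, 10, 13, 32):
        return "space"
    if 33 <= b <= 126:
        return "punct"
    if b < 128:
        return "ctrl"
    return "high"


def thumbprint(window: bytes) -> List[float]:
    """Normalized character-class frequencies of one time window of one connection."""
    counts = Counter(char_class(b) for b in window)
    n = max(len(window), 1)
    return [counts[c] / n for c in CLASSES]


def similarity(a: List[float], b: List[float]) -> float:
    """Cosine similarity between two thumbprints (1.0 = identical class mix)."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(x * x for x in b))
    return dot / (na * nb) if na and nb else 0.0


def match_session(reference: List[float], observed: Dict[str, List[float]],
                  threshold: float = 0.9) -> List[Tuple[str, float]]:
    """Observation points whose thumbprint is close enough to the reference, best first."""
    scored = [(name, round(similarity(reference, fp), 3)) for name, fp in observed.items()]
    scored.sort(key=lambda t: t[1], reverse=True)
    return [(name, s) for name, s in scored if s >= threshold]


def keystream_xor(data: bytes, seed: int) -> bytes:
    """Stand-in for an encrypted hop: XOR with a seeded pseudo-random stream (not real cryptography)."""
    rng = random.Random(seed)
    return bytes(b ^ rng.randrange(256) for b in data)


# Constructed plaintext of one interactive session relayed unchanged over the chain
SESSION_TEXT = (
    b"cd /tmp\nls -la\ntotal 8\ndrwxrwxrwt 2 root root 4096 Jan 1 00:00 .\n"
    b"cat /etc/hostname\nhost14\nwhoami\nuser\nuname -a\n"
) * 4


def observations() -> Dict[str, List[float]]:
    """Thumbprints recorded at constructed observation points for one time window.
    The windows are offset from each other, as they would be with imperfect clock alignment."""
    return {
        "router_before_host15": thumbprint(SESSION_TEXT[0:160]),
        "router_before_host13": thumbprint(SESSION_TEXT[30:190]),
        "router_before_host12_encrypted": thumbprint(keystream_xor(SESSION_TEXT[30:190], seed=7)),
        "router_unrelated_transfer": thumbprint(b"2024-01-01,12345,678.90\n" * 8),
    }


def trace_by_thumbprint(threshold: float = 0.9) -> List[Tuple[str, float]]:
    """Use the window captured at the target host as the reference and list the matching points."""
    reference = thumbprint(SESSION_TEXT[10:170])
    return match_session(reference, observations(), threshold)


if __name__ == "__main__":
    for name, score in trace_by_thumbprint():
        print(f"{name}: {score}")
```

The two points that relay the session in the clear match the reference even though their windows are shifted, while the unrelated bulk transfer does not. The point where the same window has been encrypted on its hop also fails to match, because the cipher output has a flat byte distribution that shares nothing with the plaintext mix; this is precisely why content-based thumbprinting cannot cope with encrypted or re-encoded data.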
Another technique that may be used involves the deployment in a network of a computer monitoring system, as is disclosed in Japanese Unexamined Patent Publication No. Hei 9-2114493. When an abnormality is found in the monitoring results, a log collection unit collects the traffic logs maintained by the monitored computer.
The tracing systems of the host base type are not appropriate for a network, such as the Internet, on which various management rights are exercised. Network base Thumbprinting, which employs the data contents as reference material, is quite an effective system; however, now that encrypted communication has become so popular, no matter how far network base Thumbprinting is developed, such an access chain tracing system holds out little promise of developing into a viable system.
It is, therefore, one object of the present invention to provide an access chain tracing method whereby, even if this method is introduced only in part of a network, a host on an access chain can be identified within the range covered by this method, and to provide an access chain tracing system therefor.
It is another object of the present invention to provide an access chain tracing method and an access chain tracing system that can cope with a case wherein data contained in a packet are encrypted en route, or language code is transformed.
It is an additional object of the present invention to provide an access chain tracing method whereby, from among a plurality of hosts on an obtained access chain, the nearest host to an attacker can be easily identified, and an access chain tracing system therefor.
It is a further object of the present invention to provide an access chain tracing method and an access chain tracing system for which only a small memory capacity is required to store data in a packet that is needed when an access chain is being traced.
It is a still further object of the present invention to provide an access chain tracing method whereby the contents of the data in a packet are not stored and communication privacy can be protected, and an access chain tracing system therefor.